I have the field count number and %, How can I set the query to run?
@Joycetran this is the use case of top command
| top <yourFieldName>
Here is a run anywhere search example based on Splunk's _internal index
index=_internal sourcetype=splunkd component=*
| top component
View solution in original post
Thank you. It works.